Dissecting RSA's 'Watering Hole' Traffic Snippet
rye writes "Even the tiniest snippets of network traffic reveal a lot — not just about viruses and botnets, but also about the malware research lab setup inside corporations like RSA. Watch as Sherri Davidoff of LMG Security tears apart a teeny tiny snippet of gh0st RAT traffic released by RSA during their investigation of the VOHO 'watering hole' attack. Quoting: 'From just a few bits and bytes, we've learned that RSA's investigator was probably using Windows XP on a VMware guest, which was assigned the IP address 192.168.0.106. The local router had a network card likely manufactured by 2Wire. We've also seen firsthand that the C2 channel traffic, which was masquerading as "HTTPS," was running over port 80, and confirmed the gh0st RAT's destination.'"
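The header-level inference the quoted write-up describes, as an added example (not code from LMG Security, RSA, or anyone in this thread): a hand-rolled parser over a constructed Ethernet/IPv4/TCP frame that reads the MAC OUI, source IP, TTL and destination port, and flags a port-80 flow whose payload is neither HTTP nor a TLS handshake. The OUI table, the destination address 203.0.113.10, the payload bytes and all function names are constructed for the example.

```python
import struct

# Constructed OUI table: VMware's 00:0c:29 is a real prefix; the router entry is a
# locally administered placeholder, not 2Wire's registered OUI.
OUI_VENDORS = {"00:0c:29": "VMware (guest NIC)", "02:00:00": "router (placeholder OUI)"}

def oui_vendor(mac: bytes) -> str:
    return OUI_VENDORS.get(":".join(f"{x:02x}" for x in mac[:3]), "unknown")

def classify_payload(data: bytes) -> str:
    """Label a TCP payload by its first bytes, independent of the port it rides on."""
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03:
        return "tls-handshake"  # TLS record: content type 22, version 3.x
    if data.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD", b"PUT"):
        return "http"
    return "unknown-binary"

def summarize_frame(frame: bytes) -> dict:
    """Parse Ethernet II / IPv4 / TCP by hand; return what an analyst reads off the headers."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not IPv4")
    ip = frame[14:]
    ihl, ttl, proto = (ip[0] & 0x0F) * 4, ip[8], ip[9]
    if proto != 6:
        raise ValueError("not TCP")
    tcp = ip[ihl:]
    dport = struct.unpack("!HH", tcp[:4])[1]
    kind = classify_payload(tcp[(tcp[12] >> 4) * 4:])
    return {
        "dst_mac_vendor": oui_vendor(frame[:6]),
        "src_mac_vendor": oui_vendor(frame[6:12]),
        "src_ip": ".".join(map(str, ip[12:16])),
        "dst_ip": ".".join(map(str, ip[16:20])),
        "ttl": ttl,                 # 128 is Windows' default initial TTL, 64 for Linux
        "dport": dport,
        "payload_kind": kind,
        "port_mismatch": dport == 80 and kind != "http",  # "HTTPS" that is neither
    }

def build_sample_frame() -> bytes:
    """Constructed frame: VMware guest 192.168.0.106 -> 203.0.113.10:80 carrying opaque bytes."""
    eth = bytes.fromhex("020000000001") + bytes.fromhex("000c29aabbcc") + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", 49152, 80, 1, 0, 5 << 4, 0x18, 8192, 0, 0)
    payload = b"\x01\x02\x03\x04opaque"  # constructed, not a real C2 message
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0x4000, 128, 6, 0,
                     bytes([192, 168, 0, 106]), bytes([203, 0, 113, 10]))  # checksum left 0
    return eth + ip + tcp + payload
```

Run `summarize_frame(build_sample_frame())` to see the fields; the same parser applied to a real capture is what turns a few header bytes into the OS, guest and port-mismatch observations the summary quotes.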
Nope. (Score:4, Insightful)
The machine was just pretending to be a Windows XP machine running as a VMware guest, etc.
Re:It's easy (Score:2, Insightful)
Was that before HTTPS was big and popular?
Re:Nope. (Score:5, Insightful)
The machine was just pretending to be a Windows XP machine running as a VMware guest, etc.
I thought it was strange that a (presumably) prominent researcher wouldn't at least come up with a MAC address of a cheap embedded NIC for the honeypot. I mean, if I were a malware coder, that would be one of the first things to clue me in that [ackbar]it's a trap![/ackbar]. Who would run a completely defenseless Windows XP machine in a VM other than a white hat?